On Sat, 4 Mar 2000, John Grant wrote:
Jussi Laako said:
Rune Kristian Viken wrote:
vulnerability. The only responsible thing to do, is to publish the exploit to as many security-mailinglists as possible, and let admins disable the buggy service.
After that it's race against time from sysadmin's point of view. Is admin fast enough to disable that service before someone breaks in? If only few peoples know about security vulnerability it's less likely that someone uses it in your system. If every script kiddie knows about it, then it's much more likely...
Isn't it the SysAdmin's job (among others) to be quick in responding to security announcements?
How many people sit 24/7 reading security mailinglists?
So what's the option? Only release security announcements during working hours? Working hours in which time zone? A report released at 5pm Friday, may not be read until 9am Monday (or Tues if it happens to be a bank holiday) the next week. Are those who do keep up with their mail ment to be left open to attacks because some people may not read their mail for a few days? What about those people who admin their servers in their free time? I do most of my admin work between the hours of 10pm and 2am. One of the asumptions that has to be made (and I'd feel justified in making this assumption) is that people who are involved in security are aware of how time critical some things are, and will take the required steps to ensure they're server is not unprotected longer than they deem acceptable.
No SA worth the title would need to take that much time to keep up. Besides, that's like asking, "what if the night-watchman falls asleep?".
What if sysadmin is at weekend trip with his sailing boat?
I have all urgent mail (inc. some security reports) routed to my Mobile phone (via procmail and an SMS filter thing), I can't be the only person who has done that. It has been known for me to fix problems with a mail server, over SMS, while I've been at college, in a maths tute. Just because an admin isn't at a terminal, doesn't mean they can't do anything about it. Even while I was out of the country I recieved status reports on my servers, and if a security report had been released, I'd have received it and either found an internet cafe, or mailed the other admin and asked him to fix it. Security isn't a 9 'til 5 job.
If the night-watchman takes the weekend off then you get someone to take his place. Or you do without, make sure you lock the doors as best you can, and take your chances.
Well said. /cog